Erik Eckel highlights three common security failures that stand out from his years of IT consulting work. Make sure your clients are protected from these blunders.
Humility is an important quality in IT consultants. The industry has a way of knocking consultants down a peg and reminding professionals to mind their fundamentals when overconfidence sets in. Security, however, is an area in which consultants can't afford lapses, especially since Sarbanes-Oxley, HIPAA, and data sensitivity have become critical issues.
When I inherit systems, servers, workstations, and networks developed and administered by others, I see other IT consultants' mistakes. I've also seen security failures at the companies where I've worked.
Some security errors are simple brain-dead mistakes, such as affixing administrative usernames and passwords to a server via a Post-it note; other security offenses are less subtle, such as using the same password structure for each client. (Because of one competitor's administrative password naming scheme, I can now log on to any of their clients' systems replicating a simple password pattern.)
Of all the security failures that I've seen, there are three common ones that stand out. Review your consultancy's practices to ensure clients are protected from these blunders.
#1. Permitting simple passwords
I'm truly shocked at how many so-called IT professionals permit users and colleagues to set simple passwords that consist of just letters and even words found in common dictionaries. Simple passwords are easily hacked, which can lead to identity theft, unauthorized use of proprietary data, embarrassing leaks, and federal data standard violations.
In racing, when newbies complain of the cost of a good helmet, the seasoned veteran answers "if you have a ten-dollar head, wear a ten-dollar helmet." If a client has gone to the trouble of investing heavily in firewalls, encryption applications, and additional security parameters, they should invest in requiring complex passwords. Whether the client is protecting a router, a user account, an email address, or another system, you need to insist that employees use eight character or longer passwords that use all of the following: uppercase letters, lowercase letters, numbers, and special characters.
Sure, such passwords are inconvenient, but that's the point. Passwords are a critical component of typically multiple-tiered security systems that are all too often negated as a result of nonchalance. If I can memorize the 26 phonetic alphabet codes, and coworkers can commit to memory the 486 tongue-twisting words to the I Am The Very Model Of A Modern Major General song from The Pirates of Penzance, users can memorize eight to 10 or more characters.
Also, be sure your passwords don't follow the same naming patterns because that's too simple, even if you use complex characters. For example, if one discovers that Acme's server administrative password is Acme*123, it's not going to be too difficult to determine that the Smith company's administrative password is Smith*123, is it?
#2. Deploying equipment using default passwords
IT consultants who deploy business-class equipment using default passwords should return whatever service fees they collect to their clients. Exhaustive lists of default passwords are a simple Google search away. This is exponentially more important when deploying routers, firewalls, and other systems that are accessible from the Internet.
As I explain to clients, your data or company doesn't need to be all that sexy to be of interest — far from it. Hackers write robotic programs that scour the Internet for nodes that respond. Once a node responds, the device becomes a target for attack. This is true whether the device is stationed inside a plumber's office or a bank.
When organizations need to ensure remote administration of devices is possible, your office can work to restrict authorized connections via originating IP addresses to tighten security. But whenever a security device or any node is connected to the Internet, default passwords should be changed. By using tough-to-crack passwords on equipment, you make it difficult for unauthorized users to gain access, whether those unauthorized users are bored internal employees, angry and disgruntled ex-workers, or black hat criminals.
#3. Sharing passwords via unencrypted email
It never fails. Organizations invest in enterprise-class firewalls, deploy disk encrypting software, and institute multiple-tiered logins — which each require different usernames and passwords that must regularly be reset and cannot match previously used passwords — and then someone emails the keys to the kingdom via unencrypted email. Forwarding administrative passwords via unprotected email, even to authorized users or colleagues, is a practice all IT consultants should eliminate.
Email is inherently insecure. Messages pass not only through the sender's email server but to the recipient's server and through an inestimable number of systems in between. Each step in the chain offers the potential for unauthorized users.
I used to be more cavalier regarding security, but years of IT consulting and experiencing the myriad and shocking ways in which businesses battle competitors, disgruntled staff, and others, I place a much greater emphasis on following security fundamentals. One excellent security fundamental that will help keep systems safe is avoiding sending passwords via clear text email. Just don't do it.